Documentation for Access Rights Manager

Set audit permissions in the AD object SACLs

After you configure the audit policies for the domain controllers, set the audit permissions (or system access control list [SACL]) for the Active Directory objects.

Configuring the SACL requires the Manage auditing and security log user right (which corresponds to the SeSecurityPrivilege privilege). You must be a member of the event log reader or domain administrator group.

Configuring the SACL is only required for one of the domain controllers. All other domain controllers receive the configuration through replication.

  1. Select a domain controller in your deployment.
  2. On the domain controller, open the Active Directory Users and Computers console.

    Open a Run window and run:

    dsa.msc


  3. In the Active Directory Users and Computers console, click View > Advanced Features.


  4. In the left menu, locate the domain you want to monitor.

  5. Right-click the targeted domain and select Properties.


  6. In the properties window, click the Security tab and then click Advanced.


  7. Click the Auditing tab.


  8. Review the existing access rights and verify whether the required permissions already exist.

  9. If required, expand the access rights of an existing Everyone principal or add the desired entry.


    The following minimum settings are required:

    • Principal: Everyone

    • Type: All

    • Apply to: This object and all descendant objects

    The following permissions are required:

    • Write all properties

    • Delete

    • Delete subtree

    • Modify permissions

    • Create all child objects

    • Delete all child objects

  10. Save your changes.
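
To confirm the result without clicking through the console, the domain object's SACL can be read back and compared with the settings listed in step 9. The following PowerShell is an added example, not part of the vendor documentation. It assumes the RSAT ActiveDirectory module is installed and that the session holds the Manage auditing and security log right; the function name `Get-MissingAuditRights` and the mapping of console permission names to `ActiveDirectoryRights` flags are this example's own.

```powershell
# Added example: read-only SACL check; it changes nothing in the directory.
Import-Module ActiveDirectory   # assumption: RSAT ActiveDirectory module is installed

# Console names from step 9 mapped to ActiveDirectoryRights flags (mapping made for this example).
$RequiredRights = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, Delete, DeleteTree, WriteDacl, CreateChild, DeleteChild'

function Get-MissingAuditRights {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [System.DirectoryServices.ActiveDirectoryRights] $Required = $RequiredRights
    )
    # -Audit requests the SACL; this fails without the "Manage auditing and security log" right.
    $acl   = Get-Acl -Path "AD:\$DistinguishedName" -Audit
    $rules = $acl.GetAuditRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    $covered = @{ Success = 0; Failure = 0 }
    foreach ($rule in $rules) {
        # Principal: Everyone (well-known SID S-1-1-0)
        if ($rule.IdentityReference.Value -ne 'S-1-1-0') { continue }
        # Apply to: This object and all descendant objects
        if ($rule.InheritanceType -ne [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All) { continue }
        # "All properties" / "all child objects" means the entry has no object-type restriction
        if ($rule.ObjectType -ne [Guid]::Empty -or $rule.InheritedObjectType -ne [Guid]::Empty) { continue }
        # Type: All means Success and Failure; they may be stored as separate entries
        foreach ($flag in 'Success', 'Failure') {
            $bit = [int][System.Security.AccessControl.AuditFlags]::$flag
            if (([int]$rule.AuditFlags -band $bit) -ne 0) {
                $covered[$flag] = $covered[$flag] -bor [int]$rule.ActiveDirectoryRights
            }
        }
    }
    foreach ($flag in 'Success', 'Failure') {
        $missing = [int]$Required -band (-bnot $covered[$flag])
        [pscustomobject]@{
            AuditType     = $flag
            Compliant     = ($missing -eq 0)
            MissingRights = [System.DirectoryServices.ActiveDirectoryRights]$missing
        }
    }
}

Get-MissingAuditRights -DistinguishedName (Get-ADDomain).DistinguishedName | Format-Table -AutoSize
```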